Dark Reading is part of the Informa Tech Division of Informa PLC

Risk

8/24/2008
08:03 PM
George V. Hulme
Commentary

UPDATE: Best Western Refutes (Some) Claims Of Hacker Compromise

Shortly after our post, Best Western Hotel Chain Pwned, which is based on the story that appeared here, Best Western e-mailed us a response that raises more questions than it answers. That statement, which is available here, refutes some of the claims surrounding its breach, but certainly not all. Here's a deconstruction:

Best Western Responds to Sunday Herald Story Claiming Security Breach Hotel Chain Asserts No Evidence to Support Sensational Claims

The story printed in the Sunday, Aug. 24, 2008, Glasgow Sunday Herald claiming a security breach of Best Western guest information is grossly unsubstantiated. Claims reported about our Central Reservations customer records are not accurate. We at Best Western take the confidentiality of our customers' personal information very seriously. The Sunday Herald reporter brought to our attention the possible compromise of a select portion of data at a single hotel; we investigated immediately and provided commentary. Best Western would have welcomed the opportunity to fact-check the story, which would have resulted in more accurate and credible reporting on the part of the newspaper. We have found no evidence to support the sensational claims ultimately made by the reporter and newspaper.

First, the release states that there is "no evidence" to support the sensational claims in the news story. To me, "no evidence" would mean no evidence. Yet, fascinatingly, the company admits that the very reporter whose claims supposedly have "no evidence" behind them is the one who brought "the possible compromise of a select portion of data at a single hotel" to Best Western's attention. So there is at least some evidence to support the claims. What, exactly, is accurate in the story, and what, exactly, is not? We're not told.

Here's something interesting regarding the nature of the compromise:

Most importantly, whereas the reporter asserted the recent compromise of data for past guests from as far back as 2007, Best Western purges all online reservations promptly upon guest departure.

Security lesson: If there was a Trojan sitting somewhere on this system and sniffing Best Western's wires, it doesn't matter whether the data was purged on guest departure or not. A purge policy limits what an attacker can pull out of the database after the fact; it does nothing about data that was grabbed in real time, as it was entered or transmitted, long before it was purged.

Best Western is committed to safeguarding the confidential information of our guests. We comply with the Payment Card Industry (PCI) Data Security Standards (DSS). To maintain that compliance, Best Western maintains a secure network protected by firewalls and governed by a strong information security policy. We collect credit card information only when it is necessary to process a guest's reservation; we restrict access to that information to only those requiring access and through the use of unique and individual, password-protected points of entry; we encrypt credit card information in our systems and databases and in any electronic transmission over public networks; and again, we delete credit card information and all other personal information upon guest departure. We regularly test our systems and processes in an effort to protect customer information, and employ the services of industry-leading third-party firms to evaluate our safeguards.

PCI requires the periodic evaluation, testing, and re-certification of compliance. To that end, our most recent internal review was conducted in August 2008, as was our most recent external test and review. Both evaluations showed Best Western to be compliant with PCI DSS.

A couple of points on this paragraph. First, it sounds like a decent, even above-average, approach to infosec for a business in the hospitality industry. It's a shame that they appear to have been compromised anyway, but an adversary only needs to find a single exploitable weakness. One potential weakness is visible in the paragraph itself: "we encrypt credit card information in our systems and databases and in any electronic transmission over public networks." Read literally, that leaves card data in the clear at two points: in memory on the systems that handle it before it is encrypted for storage, and on the internal network between a hotel's front desk and the reservation system, which is not a public network. A traffic-sniffing Trojan that gets inside the perimeter sits at exactly those points, so it has a shot at collecting data and then sending it someplace it shouldn't.
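To make the two points above concrete (real-time capture beats a purge-on-departure policy, and "encrypted over public networks" says nothing about the internal segment), here is an added example of the check a practitioner would run over a capture of internal traffic to see whether card numbers cross that link in the clear. It is, essentially, the same logic a sniffing Trojan would use to harvest them. This is illustrative code written for this article, not Best Western's or anyone else's; the capture, addresses, and endpoints below are constructed and hypothetical.

```python
"""
Scan captured internal traffic for cleartext payment card numbers (PANs).

A PAN that appears in a form POST on an internal link is readable by
anything sniffing that segment, regardless of how it is encrypted once it
reaches the database or how quickly it is purged afterwards.

Sample traffic below is constructed for illustration; the IP addresses,
endpoints and card numbers (industry test numbers) are hypothetical.
"""
import re
from urllib.parse import unquote_plus

# Runs of 13-19 digits, allowing spaces or dashes between groups.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test; filters hotel IDs, dates and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return Luhn-valid PANs (digits only) found in one payload."""
    text = unquote_plus(text)   # form encoding: '+' and %XX become characters
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Mask a PAN PCI DSS style: at most first six and last four visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_capture(records) -> list:
    """records: iterable of (flow, payload). Returns one finding per PAN."""
    findings = []
    for flow, payload in records:
        for pan in find_pans(payload):
            findings.append({"flow": flow, "pan": mask(pan)})
    return findings


# Constructed sample: a front-desk client posting reservations to an
# internal reservation server over plain HTTP, plus a benign lookup whose
# 17-digit hotel identifier must not be reported as a card number.
SAMPLE_CAPTURE = [
    ("10.1.5.23 -> 10.1.0.10:80",
     "POST /reserve HTTP/1.1\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     "guest=J+Doe&card=4111+1111+1111+1111&exp=1209&nights=2"),
    ("10.1.5.24 -> 10.1.0.10:80",
     "GET /availability?hotel=12345678901234567&date=20080824 HTTP/1.1"),
    ("10.1.5.25 -> 10.1.0.10:80",
     "POST /reserve HTTP/1.1\r\n\r\n"
     "guest=A+Smith&card=5500-0000-0000-0004&exp=1110"),
]

if __name__ == "__main__":
    for f in scan_capture(SAMPLE_CAPTURE):
        print(f"cleartext PAN {f['pan']} on {f['flow']}")
```

Point this at a span-port capture of the segment between the front desk and the reservation host and an empty result is what "encrypted in transmission" should look like from the inside; a non-empty one is the gap the statement's wording leaves open. The Luhn test is what keeps reservation IDs, phone numbers and dates out of the findings, which is why both a Trojan author and a DLP rule bother with it.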

The next kicker has to do with Best Western's PCI DSS claims. It's excellent that they're PCI DSS compliant; again, this points to good policy. But PCI DSS compliance does not mean secure. Compliance and security are two different things, and the status of either can change in a moment: an assessment is a snapshot of the controls an assessor was shown on a given day, not evidence that nothing malicious was already sitting on the network.

The statement concludes:

Best Western would like to assure our customers, member hotels, and business partners that we have no evidence to suggest that there is need for widespread concern. As a precautionary measure, now and always, we advise guests to review their credit card statements closely, and we will of course continue to comply with PCI standards going forward. Customer inquiries should be directed to our U.S. customer service team at 800-528-1238.

I was happy to learn that there is no need for "widespread" concern.

I've e-mailed a couple of questions to Best Western, including about its statement that this involves only a single hotel, whether that hotel's network is connected to the rest of the chain, and how long the alleged Trojan may have been in place.

Still waiting for a response.

There are a number of takeaways from all of this. First, if you're learning from a reporter that your systems may have been compromised, you have big problems. The last time I covered a story like that was a few years ago, regarding this character. Second, don't start talking to the media about what may have transpired until you know, exactly, what has transpired. Third, let everyone know that you called the authorities; there's absolutely no mention that this is now under criminal investigation. And the statement certainly didn't mention any outreach to potentially affected customers: it was nothing but corporate CYA.

UPDATE: Best Western has posted the following notice on its U.K. Web site, www.bestwestern.co.uk:

Best Western Security Breach

Best Western were notified of a security breach to its data systems on Friday afternoon and responded by closing this breach immediately. We are carrying out further investigations to ensure that all relevant procedural standards are met, and that the interests of our guests are protected. We do not believe the security breach has impacted GB customers but further investigations continue. We would like to offer reassurance to customers that all measures are taken to protect customer information and that Best Western takes any attack on this very seriously.

 
